
Member login with email

Why session based login

  1. The user can see the list of devices they are logged in from.
  2. The user can terminate a session and invalidate a login token at any time.
  3. While entering credentials, the password is sent in encrypted form over the wire.
  4. Challenge-based authentication to avoid or slow down brute-force attacks.

API

For any client app to perform a login and obtain a login token, the client app must first request a challenge. The following API returns the challenge data.

/session/challenge/<username>

HEADERS

x-redirect-link : <Redirect link after successful login>

Ex - /v2/session/challenge/abc@xyz.com

Response

    {
        "_id": "5b643fe372ad9f7221f8b958",
        "type": "USER",
        "status": "INITIATED",
        "details": {
            "pow_secret": "4962",
            "pow_salt": "d8b9b3f2bd6e1d0052d1b96153b22add4e07f2ccdc0a5bf0b106700c6f03763d",
            "pow_hash_prefix": "b1550351b3",
            "pow_done": false,
            "_id": "5b643fe372ad9fc311f8b959",
            "pow_rounds": 100000,
            "key_length": 32
        },
        "expiring": 1533296911.824,
        "__v": 0
    }

Response Fields

| Field | Type | Description | Required |
|---|---|---|---|
| _id | string | Session id | ✔ |
| details.pow_secret | string | The number from which the guessing needs to be started | ✔ |
| details.pow_salt | string | Salt for the pbkdf2 algorithm | ✔ |
| details.pow_hash_prefix | string | Prefix of the correct key | ✔ |
| details.pow_rounds | int | Number of rounds for pbkdf2 | ✔ |
| details.key_length | int | Key length to generate with pbkdf2 | ✔ |

Steps for guessing the key

  1. Start with the current value of pow_secret and store it in a variable 'secret'.

  2. Perform pbkdf2 and store the result in a variable called 'key':

         pbkdf2(secret, pow_salt, pow_rounds, key_length, 'sha512')

  3. Check whether the newly derived 'key' has the same prefix as 'pow_hash_prefix'. If yes, this is the correct key and the guessing is done. If the prefix does not match, increment the secret, i.e. secret = secret + 1, and go back to step 2.

  4. Keep going until you have found the correct key.

Steps for encrypting the password

This section assumes that you have already guessed the correct encryption key by following the steps in the previous section.

  1. Encrypt the user's password using the key derived in the previous section.

  2. The algorithm used to encrypt the password is 'aes-256-cbc'.

  3. Here is sample code to encrypt the password in Node.js.

    import crypto from "crypto";

    // key: the 32-byte key derived in the previous section; iv: 16 random bytes
    async function encryptPassword(password: string, key: Buffer, iv: Buffer): Promise<string> {
        const cipherName = "aes-256-cbc";
        const cipher = crypto.createCipheriv(cipherName, key, iv);
        cipher.setAutoPadding(true);
        let crypted = cipher.update(password, "utf8", "hex");
        crypted += cipher.final("hex");
        return crypted;
    }

    // pwd is the user's password, key is the derived key from the previous section
    const iv = crypto.randomBytes(16);
    const encryptedPass = await encryptPassword(pwd, key, iv);

Verifying the challenge

This step assumes you have performed the steps in the sections above.

The URL for verifying the challenge is

/session/challenge/<username>
Ex - POST /v2/session/challenge/abc@xyz.com

Request

    {
        "id": "5b643fe372ad9f7221f8b958",
        "refNo": "iv converted into hex string",
        "password": "encrypted password"
    }

Response

    {
        "token": "<token>"
    }